Oauth-token does not have proper permissions


#1

Hello!

We're dealing with a strange issue that has only started happening recently. We're trying to download lists from our Hubspot account, however instead we are getting this error message:

"This oauth-token (TOKEN) does not have proper permissions! (requires all of [contacts-lists-access])

We've made sure our request contains proper scopes to access contacts, here it is:

https://app.hubspot.com/oauth/authorize?client_id=CLIENT_ID&redirect_uri=https://app.ipg.ovh/ajax/integrations/hubspot/index&scope=contacts

What's most interesting to us is that we haven't made any changes to our HubSpot integration recently, and we've only noticed this problem today. We estimate that this has been going on for no longer than four days now. Do you guys have an idea about why is this happening? We've already tried to refresh the token but it did not help unfortunately.


#2

+1, also running into the same issue. Started happening recently from what I can gather (couple days at most).

Did anything change?


#4

+3

I've also running into the issue, what's happening?
I've triple-checked my App permissions and my code (that was working fine), what's happening on your API?

I think that we need an update!


#5

Guys, this is a serious issue.
Is there any developers inside hubspot that can help? The support is not able to assist on this issue and it seems that there is no one able to help, how should we do?
This experience is absolutely not good.


#6

Hi all,

We recently pushed a change that fixed a bug that had allowed portals without access to the list tool to access it via the API. This bug was related to portals that previously had access to the lists tool, but downgraded to a product tier that does not have access to the lists tool. While access to lists was removed in-app, it was still possible for portals in this state to access lists via the API.

@DaBa based on the token that you posted, it appears that your portal was in this situation. At your current product tier, your portal does not have access to the lists tool (and therefore the Contact Lists API).

@emmanuel.garcia & @Gerard_Fernandes it's tough to say for sure, but it's likely that your portals were in this state. To confirm, you can send me your Hub IDs and I can double check.

Also as a general note, please refrain from posting access tokens here on the forum; all topics are public, and posting tokens/hapikeys/etc. can compromise yours and others' security.


#7

Hi Derek,

thanks for you reply, the ID of the APP that give us this issue is: 30430
Could you check that and provide us info about unlocking this situation?

Can I also know which plans includes the CONTACTS LISTS?

Thanks a lot!


#8

Thanks for the response, it would be great if you could get confirmation on Hub ID: 2024142


#9

Thank you for your answer Derek.

I just want to make sure of one thing before we commit to and answer we'll give to our clients. When you say that the account now requires a higher product tier, you are talking about the account that we're trying to access via the API correct? It doesn't have to do with the account our HubSpot application is on, is that right? I am asking because we have contacted your chat support on this, and we were told that free accounts should have access to this functionality. So, we want to make sure which information is correct.

Also, is there a mention about this bug fix anywhere that we could link people to in case of questions? It would help us explain the sudden change in permissions.


#10

Hi all,

I'll try to address your posts individually, and in order:

  • @Dev_Team_LeadsBridge I actually need your Hub ID, or the ID of the portal installing the app. This particular issue isn't related to any change in app permissions, but rather a change in the tools a particular portal has access to.
  • @emmanuel.garcia that portal is actually a developer portal, which cannot have access to the lists tool. Did you see this issue with a test portal associated with this particular dev portal? Or did you intend to send me a different Hub ID?
  • @DaBa this issue is specifically related to Marketing/CRM portals that at one point had access to the Lists tool, but later downgraded to a product tier that no longer has access to the lists tool. This isn't related to a particular app, but rather an individual portal that has installed the app. Free accounts (Marketing/CRM Free) do not have access to the lists tool; only Marketing Basic, Pro, or Enterprise portals have access to the Lists tool. Regarding a mention of this fix; for minor corrective fixes like this, we don't usually create an announcement. I'd recommend linking folks with questions to this post; I'd be happy to answer any questions on this issue.

#11

Hi Derek, I have a separate question: Is there a OAuth scope that we can use in order for Hubspot to reject users without access to Lists? Currently we have contacts as a required scope, which apparently should include lists, but it's still allowing them to connect (and then I see the "contacts-lists-access" error again).

49%20AM


#12

Hi @emmanuel.garcia,

This isn't currently possible; if a customer's portal does not have access to lists, they will still be able to partially approve the contacts scope. This is generally a good thing; if this were not the case, Marketing/CRM Free/Starter customers wouldn't be able to use any integrations that needed access to the contacts scope.

In this particular case, it adds additional difficulty for you since you now need to catch and handle the 403 for customers without Lists that install your integration. We will eventually split the contacts scope into a contacts scope and a lists scope, so that you can require one or both. Customers without access to the Lists tool will not be able to approve the future lists scope, solving this problem.


#13

So, to be clear, Hubspot is planning to fix this new bug?


#14

Hi @The_Flatly_Team,

It depends on what you mean by 'new bug'. The original situation described in this topic is not a bug. Before this change, certain portals without access to the Lists tool still had access to the Contact Lists API. Going forward, portals without access to the Lists tool in-app will not have access to the Contacts Lists API.

That said, at the moment, if there are users with portals that do not have access to the Lists tool, you'll need to catch and handle the 403 errors that occur when trying to access the Contact Lists API. Going forward, we're working on splitting the list-related permissions from the contacts scope, so that you'll be able to request contacts and lists and avoid these errors. Stay tuned to our changelog and the Announcement category here on the forums for updates on that front.